<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.14">
<TITLE>Re: [Seaside] Passing links around - a security issue?</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>I use it on VisualWorks with Swazoo, works fine. Still have to consider the fact that most networks are NAT'ed so it's not a complete solution, but it helps. We also use cookies for session tracking, so it's a little harder to pick up a session on a different computer.<BR>
<BR>
Cheers!<BR>
<BR>
-Boris<BR>
(Sent from a BlackBerry)<BR>
<BR>
----- Original Message -----<BR>
From: seaside-bounces@lists.squeakfoundation.org <seaside-bounces@lists.squeakfoundation.org><BR>
To: The Squeak Enterprise Aubergines Server - general discussion. <seaside@lists.squeakfoundation.org><BR>
Sent: Thu Jan 25 00:37:15 2007<BR>
Subject: Re: [Seaside] Passing links around - a security issue?<BR>
<BR>
<BR>
On 24 Jan 2007, at 20:37, Lukas Renggli wrote:<BR>
<BR>
>> On the other hand, if this is a critical security issue, it might be<BR>
>> possible<BR>
>> to navigate the object graph (session -> currentRequest -> <BR>
>> nativeRequest<BR>
>> and so on)<BR>
>> and get the peer's ip address and restrict the session to that <BR>
>> specific<BR>
>> ip address.<BR>
>><BR>
>> I must admit that this is just an idea to explore, I never tried it.<BR>
><BR>
> Back in 2004 I implemented a decoration class called<BR>
> WASessionProtector to Seaside that does exactly that. Added around the<BR>
> root component it remembers the IP from the first request and only lets<BR>
> subsequent requests pass that originate from the same IP. Of course this<BR>
> does not provide absolute security, but it is much more than doing<BR>
> nothing.<BR>
<BR>
Cool! I just saw it in the base Seaside package and it is also in the <BR>
VW port.<BR>
However I do not know if this works in VW. Has anyone tried it in <BR>
WebToolkit?<BR>
In Swazoo?<BR>
<BR>
Michel.<BR>
<BR>
_______________________________________________<BR>
Seaside mailing list<BR>
Seaside@lists.squeakfoundation.org<BR>
<A HREF="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</A><BR>
</FONT>
</P>
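<P><FONT SIZE=2>The two checks discussed in this thread, binding a session to the peer IP seen on the first request (the WASessionProtector idea) and tracking the session with a cookie that never appears in the URL, as an added Python illustration. This is not Seaside's WASessionProtector and not code from anyone on the list; the SessionProtector class, its method names and return strings, and the IP addresses are constructed for the example. It also shows the NAT caveat Boris raises: two browsers behind the same NAT present the same address, so the IP check alone cannot tell them apart, while the cookie check still can.</FONT></P>

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session state; the peer IP is captured on the first request."""
    sid: str
    bound_ip: str
    cookie_token: str


class SessionProtector:
    """Hypothetical session store (not Seaside's) that binds each session to the
    IP seen at creation and to a cookie token, so a session id copied out of a
    URL is not enough on its own to take the session over."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self, client_ip: str) -> Tuple[str, str]:
        """Create a session for client_ip. Returns (session id that goes in the
        URL, token that is set as a cookie). Both are unguessable random values."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(sid, client_ip, token)
        return sid, token

    def check(self, sid: str, client_ip: str, cookie_token: Optional[str]) -> str:
        """Validate a follow-up request. Returns one of
        'ok', 'unknown-session', 'ip-mismatch', 'cookie-mismatch'."""
        session = self._sessions.get(sid)
        if session is None:
            return "unknown-session"
        # IP check: the request comes from a different address than the one
        # that started the session (the "link passed around" case). This is
        # the WASessionProtector idea: a raised bar, not proof of identity.
        if client_ip != session.bound_ip:
            return "ip-mismatch"
        # Cookie check: behind a NAT every browser shares the same public IP,
        # so the IP test alone cannot distinguish them. The cookie token, which
        # is never part of the URL, still does. Constant-time comparison avoids
        # leaking the token through timing differences.
        if cookie_token is None or not hmac.compare_digest(cookie_token, session.cookie_token):
            return "cookie-mismatch"
        return "ok"


def demo() -> Dict[str, str]:
    """Walk through the scenarios from the thread with constructed addresses."""
    protector = SessionProtector()
    # 192.0.2.10 stands in for an office NAT address (constructed sample value).
    sid, token = protector.start("192.0.2.10")
    return {
        # Same browser, same address, cookie present.
        "same_browser": protector.check(sid, "192.0.2.10", token),
        # The URL with the session id is pasted to someone on another network;
        # the copied link carries no cookie and the address differs.
        "link_pasted_elsewhere": protector.check(sid, "198.51.100.7", None),
        # A colleague behind the same NAT opens the link: same IP, no cookie.
        "colleague_behind_same_nat": protector.check(sid, "192.0.2.10", None),
        # A session id that was never issued.
        "forged_session_id": protector.check("not-a-real-sid", "192.0.2.10", token),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

<P><FONT SIZE=2>The order of the checks matters only for which reason is reported; both must pass. The NAT limitation is visible in the colleague case: the IP check accepts the request, and only the missing cookie stops it. Conversely, a cookie-carrying request from a different address is still refused by the IP check, which is the situation a shared link creates.</FONT></P>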
</BODY>
</HTML>